RHEL-64920

keepalived fails to create /run/keepalived/<Namespace> when SELinux is in Enforcing mode

    • Type: Bug
    • Resolution: Unresolved
    • rhel-8.10
    • keepalived
    • Moderate
    • rhel-sst-openshift
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      A customer is trying to set up keepalived in a network namespace named "LB".
      When SELinux is in Enforcing mode, the service fails to start because of the following AVC denial:

      type=PROCTITLE msg=audit(10/25/2024 11:48:05.873:172) : proctitle=/usr/sbin/keepalived -D 
      type=PATH msg=audit(10/25/2024 11:48:05.873:172) : item=0 name=/run/keepalived/ inode=74382 dev=00:18 mode=dir,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(10/25/2024 11:48:05.873:172) : cwd=/ 
      type=SYSCALL msg=audit(10/25/2024 11:48:05.873:172) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5601a764db18 a2=O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW a3=0x1a4 items=1 ppid=1 pid=4548 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
      type=AVC msg=audit(10/25/2024 11:48:05.873:172) : avc:  denied  { dac_override } for  pid=4548 comm=keepalived capability=dac_override  scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=0 
      

      In the audit record above, a dac_override AVC is seen when keepalived creates the /run/keepalived/LB directory.
      This occurs because the parent directory, /run/keepalived, ends up with 0600 permissions when mkdir creates it, even though mkdir is called with mode 0755, as seen in the strace:

      3186  [system_u:system_r:keepalived_t:s0] 11:39:16.022254 mkdir("/run/keepalived/", 0755) = 0 <0.000013>
       :
      3186  [system_u:system_r:keepalived_t:s0] 11:39:16.023593 mkdir("/run/keepalived/LB", 0755) = -1 EACCES (Permission denied) <0.000119>
      

      The exact reason is that keepalived applies a 0177 umask early during startup:

      3186  [system_u:system_r:keepalived_t:s0] 11:39:16.018792 umask(0177) = 022 <0.000005>
      

      Because of this mask, the requested 0755 becomes 0600, so /run/keepalived lacks the execute (search) bit even for its owner. Traversing it then requires the dac_override capability, which SELinux denies for keepalived_t, hence the AVC seen above.

      The corresponding source code is:

      mode_t umask_val = S_IXUSR | S_IRWXG | S_IRWXO;  /* 0177 */

      /* Entry point */
      int
      keepalived_main(int argc, char **argv)
      {
       :
              /* Set default file creation mask */
              umask(umask_val);
      

      This mask is either not correct, or should be amended when /run/keepalived is created as part of network namespace setup:

      static void
      set_run_mount(const char *net_namespace)
      {
       :
              if (mkdir(mount_dirname, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) && errno != EEXIST) {
                      log_message(LOG_INFO, "Unable to create directory %s", mount_dirname);
                      free_dirname();
                      return;
              }
       :
      
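      As an added illustration (not keepalived's code), the following C program reproduces the umask arithmetic from the report in a scratch directory and shows one way to create the directory with the intended mode regardless of the process umask, by calling chmod after mkdir. The helper names, the mkdir_exact fix and the /tmp scratch path are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Modes from the report: keepalived's umask and what set_run_mount() requests. */
#define KEEPALIVED_UMASK (S_IXUSR | S_IRWXG | S_IRWXO)                     /* 0177 */
#define RUN_DIR_MODE     (S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) /* 0755 */

/* Permission bits the kernel stores: requested bits minus the umask bits. */
mode_t effective_mode(mode_t requested, mode_t mask)
{
    return requested & ~mask & 07777;
}

/* Hypothetical fix (not keepalived's code): chmod is not subject to umask, so the
 * directory gets exactly `mode`, keeping the owner search bit whose absence
 * forces the dac_override capability check seen in the AVC. */
int mkdir_exact(const char *path, mode_t mode)
{
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    return chmod(path, mode);
}

/* Permission bits of `path`, or (mode_t)-1 on error. */
mode_t mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

/* Reproduces the report in a scratch directory (assumes a writable /tmp): one dir
 * created the way set_run_mount() does, one with mkdir_exact(), both under
 * keepalived's umask; returns 0 and the resulting modes of each. */
int demo(mode_t *naive_out, mode_t *exact_out)
{
    char base[] = "/tmp/keepalived-umask-XXXXXX", a[64], b[64];
    if (!mkdtemp(base))
        return -1;
    snprintf(a, sizeof a, "%s/naive", base);
    snprintf(b, sizeof b, "%s/exact", base);
    mode_t saved = umask(KEEPALIVED_UMASK); /* as keepalived_main() does */
    (void)mkdir(a, RUN_DIR_MODE);           /* 0755 & ~0177 = 0600 */
    mkdir_exact(b, RUN_DIR_MODE);           /* stays 0755 */
    umask(saved);
    *naive_out = mode_of(a);
    *exact_out = mode_of(b);
    rmdir(a); rmdir(b); rmdir(base);
    return 0;
}
```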

      What is the impact of this issue to you?

      Cannot start keepalived when configuring a network namespace

      Please provide the package NVR for which the bug is seen:

      keepalived-2.1.5-9.el8

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Start the service with a network namespace configuration, e.g.
        net_namespace LB
        global_defs {
            router_id 102 # Unique id
            enable_script_security
        }
        
        vrrp_instance VI_1 {
        [...]
        }
        

      Expected results

      No failure to start

      Actual results

      Failure and AVC

      People: Christine Caulfield, Renaud Métrich, Ryan O'Hara, Cluster QE